HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    142
    Location:
    Philippines
    Ah I see... The first time I think I did, but still somehow update didn't go as smoothly for FCU.
     
  2. mrhex1

    mrhex1 Registered Member

    Joined:
    Jul 2, 2016
    Posts:
    19
    Location:
    Timbuktu
    I finally managed to upgrade to Windows 10 1703 Creators update on Saturday. I upgraded HMPA from 3.7.0 build 720 to 721 RC. I kept on noticing several instances in the HitMan Pro log file showing that a registry read was denied for SrTasks.exe. I turned off Credential Theft Protection & disabled Anti-Malware.
    I noticed five separate entries for Windows 10 1703 Creators update. I downloaded & ran the Windows update troubleshooter on my computer. I suspect that Credential Theft Protection may be blocking some sort of look up for the Windows update in the registry. I reset the computer a few times to get the Windows 10 1703 Creators update tab. The update took about 30 minutes on my laptop.
     
  3. Valdez

    Valdez Registered Member

    Joined:
    Apr 21, 2016
    Posts:
    50
    Location:
    Italien
    HitmanPro.Alert 3.7.0 build 721 RC
    Windows 7 Ultimate SP1

    Mitigation CredGuard

    Platform 6.1.7601/x64 v721 06_2a
    PID 4020
    Application D:\DATI\Programmi\Standalone\Kaspersky\Kaspersky System Checker v1.2.0.290\ksc\ksc.exe
    Description Kaspersky System Checker 1.2

    \REGISTRY\MACHINE\SAM\SAM\Domains\Account

    Process Trace
    1 D:\DATI\Programmi\Standalone\Kaspersky\Kaspersky System Checker v1.2.0.290\ksc\ksc.exe [4020]
    "D:\DATI\Programmi\Standalone\Kaspersky\Kaspersky System Checker v1.2.0.290\ksc\ksc.exe" --service --flash
    2 D:\DATI\Programmi\Standalone\Kaspersky\Kaspersky System Checker v1.2.0.290\ksc_launcher.exe [5048]
    3 C:\Windows\explorer.exe [4316]
    4 C:\Windows\System32\userinit.exe [4252]
    5 C:\Windows\System32\winlogon.exe [912]
    winlogon.exe

    Thumbprint
    789efee4230955347f9fd7163decb5d3928d7339424a374a1d5df2f5b9158dc7
    ------------------------------------------------------------------------------------------------------------------------
    Mitigation CredGuard

    Platform 6.1.7601/x64 v721 06_2a
    PID 1696
    Application C:\Program Files\EaseUS\EaseUS Data Recovery Wizard\DRWUI.exe
    Description EaseUS Data Recovery Wizard 11.5

    SAM access denied.

    Range = LBA 585016 :512
    Read = LBA 584960 :256

    Process Trace
    1 C:\Program Files\EaseUS\EaseUS Data Recovery Wizard\DRWUI.exe [1696]
    DRWUI
    2 C:\Program Files\EaseUS\EaseUS Data Recovery Wizard\DRW.exe [4716]
    3 C:\Windows\explorer.exe [4228]
    4 C:\Windows\System32\userinit.exe [2512]

    Thumbprint
    e9aac23ec2da17b27038dcf4ceaa06f865c3bc3715d0a15d26ab3f0ee8557d1e
    -----------------------------------------------------------------------------------------------------------------------
    Mitigation WipeGuard

    Platform 6.1.7601/x64 v588 06_2a
    PID 5920
    Application C:\Program Files (x86)\AOMEI Backupper\MakeDisc.exe
    Description MakeDisc.exe

    Master Boot Record (MBR)

    Process Trace
    1 C:\Program Files (x86)\AOMEI Backupper\MakeDisc.exe [5920]
    MakeDisc.exe
    2 C:\Program Files (x86)\AOMEI Backupper\Backupper.exe [5996]
    3 C:\Windows\explorer.exe [4460]
    4 C:\Windows\System32\userinit.exe [4340]
    5 C:\Windows\System32\winlogon.exe [980]
    winlogon.exe

    Thumbprint
    aa2bdacb580d62da15435b17133f905a25289ad600c35cf50765224ad82e6954
     
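    The alert blocks Valdez pasted above follow a fixed layout (Mitigation, PID, Application, the touched object, a Process Trace, a Thumbprint, with a dashed separator between alerts). The parser below is an added example, not HitmanPro code; it turns such blocks into dicts so a defender can triage which mitigation fired, what was touched and the parent chain. The log sample is constructed in that layout with made-up paths, PIDs and thumbprints.

```python
import re
# Constructed sample in the alert-block layout HitmanPro.Alert writes; values are made up.
SAMPLE_LOG = r"""Mitigation CredGuard
PID 4020
Application C:\Tools\ksc\ksc.exe
\REGISTRY\MACHINE\SAM\SAM\Domains\Account
Process Trace
1 C:\Tools\ksc\ksc.exe [4020]
"C:\Tools\ksc\ksc.exe" --service
2 C:\Windows\explorer.exe [4316]
Thumbprint
0000000000000000000000000000000000000000000000000000000000000001
------------------------------------------------------------------------
Mitigation WipeGuard
PID 5920
Application C:\Backup\MakeDisc.exe
Master Boot Record (MBR)
Process Trace
1 C:\Backup\MakeDisc.exe [5920]
2 C:\Backup\Backupper.exe [5996]
Thumbprint
0000000000000000000000000000000000000000000000000000000000000002
"""

KEYS = ("Mitigation", "Platform", "PID", "Application", "Description")
TRACE_RE = re.compile(r"^(\d+) (.+) \[(\d+)\]$")

def parse_alerts(text):
    """Split on the dashed separator and parse each alert block into a dict."""
    alerts = []
    for block in re.split(r"^-{10,}$", text, flags=re.M):
        alert, section = {"trace": [], "details": []}, None
        for line in filter(None, (l.strip() for l in block.splitlines())):
            key, _, val = line.partition(" ")
            if key in KEYS:
                alert[key.lower()], section = val, None
            elif line in ("Process Trace", "Thumbprint"):
                section = line
            elif section == "Process Trace":
                if m := TRACE_RE.match(line):  # echoed command lines do not match
                    alert["trace"].append((m.group(2), int(m.group(3))))
            elif section == "Thumbprint":
                alert["thumbprint"] = line
            else:  # what was touched: SAM hive key, MBR, LBA range, ...
                alert["details"].append(line)
        if "mitigation" in alert:  # skip empty fragments around separators
            alert["chain"] = " <- ".join(p.rsplit("\\", 1)[-1] for p, _ in alert["trace"])
            alerts.append(alert)
    return alerts
```

The `chain` field (child first, parent last) is what you compare against an allow list before deciding whether an alert is a backup tool doing its job or something worth investigating.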
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Valdez

    Two things. 1. CredGuard needs to be left off. It was defaulted off for a reason, and you just found one of them.

    2. Anytime you create a boot disk you have to turn off the MBR protection, create the disk, and then turn it back on again.

    Pete
     
  5. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    I tried installing HMPA first, and then Comodo. This time, I am not seeing any conflicts. Everything works smoothly. Or maybe it's because CFW issued a new build. Or maybe the whole issue was just a fluke.
     
  6. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    Quick question: under what circumstances/conditions is it advisable to enable CredGuard?
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Do you really feel you will be under attack to have your Windows credentials stolen? If so, enable it, but realize all the things that are broken.
     
  8. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    I dunno, that's why I asked nicely. Just seeking information. The description given here is not exactly brimming with details. Which "authentication passwords" -- all (including for websites, banks, etc.), any, only certain types?? :doubt:
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Jeam

    Sorry if I sounded harsh. It is all the Windows credential stuff. Personally I don't worry, as malware has to be able to get on the machine first.
     
  10. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    As long as you are willing to deal with any issues that may arise -- such as the well-known issue with Macrium Reflect not being able to image a disk -- by all means, go right ahead and enable that protection.
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Actually from my test for them, I think they whitelisted Macrium so that might actually work.
     
  12. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    Thanks @Peter2150 and @shmu26. I'll go back and review the CredGuard discussion.
     
  13. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    651
    Location:
    Far East
    Hi

    Would the real-time malware protection of HMPA (with BD/Kaspersky/Sophos engines) conflict with Emsisoft Antimalware (with BD/self engines) real-time protection?

    Also, I suppose I'll need to disable the Windows default exploit protection if I'm to use HMPA?

    Thanks
     
  14. guest

    guest Guest

    Not that I am aware of. In my case I didn't suffer any issues (yet); the scanner in HMPA seems purely cloud-based, so I guess it may be just redundant.

    From what I heard from the Loman brothers, HMPA will take over the one offered by Win10.
     
  15. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    HitmanPro.Alert build 723 Release Candidate

    Screenshot
    Credential Theft Protection.PNG

    Changelog (compared to build 721)
    • Added protection against dropping shellcode straight into memory from VBA macro code. This mitigation is part of Load Library and triggers a Shellcode alert.
    • Added protection against compilation of arbitrary code straight into memory from an application under exploit mitigations, like Office. Such attacks can bypass whitelisting based protection like Windows Defender Device Guard.
    • Improved Credential Theft Protection by separating LSASS (memory) and SAM protection (disk and registry).
      LSASS memory protection is now enabled by default. SAM protection (disk and registry) is optional, meaning it is disabled by default to allow system backups. We recommend you enable the protection of the SAM database (Security Account Manager) from the Credential Theft Protection mitigation so its structures in the Windows Registry and local disk are shielded against dumping.
    • Improved Code Cave mitigation.
    • Improved Import Address Table Address Filtering (IAF) mitigation.
    • Improved logging to the Windows Event Log from the Anti-Malware mitigation.
    • Improved Hollow Process mitigation to block hijacking of a remote main thread to run arbitrary code.
    • Fixed generation of Thumbprints for the Credential Theft Protection module with regard to catalog signed files.
    • Fixed a ROP technique detection on pidgenx.dll when trying to activate Microsoft Office.
    • Fixed a CallerCheck alert associated with Microsoft Power Query and CLR.DLL.
    • Fixed a rare BSOD caused by the Anti-Malware mitigation.
    • Fixed a compatibility issue with Microsoft Hyper-V on Windows 10 version 1709 (Fall Creators Update).
    • Fixed a minor memory leak originating from the CryptoGuard anti-ransomware mitigation.
    Unless mentioned otherwise, from now on all our builds contain drivers co-signed by Microsoft so they also work on machines with Secure Boot enabled.

    Download

    http://test.hitmanpro.com/hmpalert3b723.exe

    Please let us know how this build runs on your machine. All users running a 7xx beta build are currently automatically updated. Users running build 604 are expected to receive an automatic update early next week (no exact date yet).

    Thanks everybody! :thumb:
     
    Last edited: Nov 15, 2017
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Mark

    I am assuming if we check the disk part it will still block backups, correct?

    Pete
     
  17. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Yes. Protection of the Security Account Manager (SAM database) on the disk and in the registry is disabled by default to allow system backups. If you enable it, you might run into issues with backup software although we have put effort into making more common backup solutions work, including Macrium Reflect and Acronis True Image. Let us know if you have a backup application that doesn't work in the presence of Credential Theft Protection.
     
  18. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,863
    Location:
    the Netherlands
    Is this tested only with current Macrium Reflect and Acronis True Image versions, or is it also tested with older versions?
    (Like, for instance, Acronis True Image 2010 update 3 build 7160, that still works with Windows 7.)
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Another popular imaging program, at least here, is TeraByte's Image for Windows, and also Drive Snapshot.
     
  20. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    So far no problems here, Windows 7 SP1 Pro x64.
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Re CredGuard. I tested Macrium and it's still good. I then tested Acronis True Image Home 2018. Credential Theft Protection blocks it unless SAM is turned off. Also IFW fails with it. Still, splitting out LSASS is a good improvement.
     
  22. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,239
    Location:
    Among the gum trees
    Just installed this RC and running alongside Norton. No problems so far.

    @Peter2150 , do you have Security Account Manager enabled, or have you tested MR backups with it enabled?

    Thanks.

    Edit: Haha, I see you had posted while I was composing my message.
     
  23. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,239
    Location:
    Among the gum trees
    I haven't really been following this thread closely, but how does the Anti-Malware mitigation (real-time protection) work? Is it likely to interfere with other AVs or security programs?

    Thanks.
     
  24. guest

    guest Guest

    Before a file is executed, HMP.A calculates the hash of the file and checks it in the HitmanPro Cloud. If the file is malware, the execution of this file is denied and you should see a red flyout.
     
  25. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,239
    Location:
    Among the gum trees
    Thanks as always, mood. It sounds like there is potentially an avenue for conflict with other security solutions.
     